./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4075711816 <...> Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts. execve("./syz-executor4075711816", ["./syz-executor4075711816"], 0x7ffe6547d0e0 /* 10 vars */) = 0 brk(NULL) = 0x555555e66000 brk(0x555555e66c40) = 0x555555e66c40 arch_prctl(ARCH_SET_FS, 0x555555e66300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555555e665d0) = 5026 set_robust_list(0x555555e665e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f5f44c9ce20, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f5f44c9d4f0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f5f44c9cec0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f5f44c9d4f0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4075711816", 4096) = 28 brk(0x555555e87c40) = 0x555555e87c40 brk(0x555555e88000) = 0x555555e88000 mprotect(0x7f5f44d63000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f5f44d696ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5f44c6c000 mprotect(0x7f5f44c6d000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f5f44c8c3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5027], tls=0x7f5f44c8c700, child_tidptr=0x7f5f44c8c9d0) = 5027 futex(0x7f5f44d696e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f5f44d696ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5027 attached [pid 5027] set_robust_list(0x7f5f44c8c9e0, 24) = 0 [pid 5027] memfd_create("syzkaller", 0) = 3 [pid 5027] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f3c86c000 syzkaller login: [ 79.324874][ T5027] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5027 'syz-executor407' [pid 5027] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 20699119) = 20699119 [pid 5027] munmap(0x7f5f3c86c000, 20699119) = 0 [pid 5027] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5027] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5027] close(3) = 0 [pid 5027] mkdir("./bus", 0777) = 0 [ 79.572530][ T5027] loop0: detected capacity change from 0 to 40427 [ 79.592282][ T5027] F2FS-fs (loop0): Found nat_bits in checkpoint [pid 5027] mount("/dev/loop0", "./bus", "f2fs", 0, "noextent_cache,lazytime,background_gc=sync,") = 0 [pid 5027] openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 [pid 5027] chdir("./bus") = 0 [pid 5027] ioctl(4, LOOP_CLR_FD) = 0 [pid 5027] close(4) = 0 [pid 5027] futex(0x7f5f44d696ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5027] futex(0x7f5f44d696e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5026] <... futex resumed>) = 0 [pid 5026] futex(0x7f5f44d696e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5026] futex(0x7f5f44d696ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5027] <... futex resumed>) = 0 [pid 5027] openat(AT_FDCWD, "freezer.self_freezing", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 5027] futex(0x7f5f44d696ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5026] <... futex resumed>) = 0 [pid 5026] futex(0x7f5f44d696e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] futex(0x7f5f44d696ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5027] <... futex resumed>) = 1 [ 79.636691][ T5027] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [pid 5027] write(4, "\x4c\x87\xd9\x5e\xbf\x9d\xf7\xd2\xf5\x6a\xed\x85\x6a\xed\x6e\xa5\xb6\x97\x37\xb3\x41\xb6\x56\xa9\x77\x9b\x77\xd7\xd2\xc5\x56\x67\x74\x5a\x65\x90\xd5\xbb\x1b\xad\x3c\x6f\x75\xb2\x6a\x23\xef\x2e\xa5\x8b\xad\x46\xa3\x52\xab\xa5\x8b\xf7\xb2\xed\x76\xbd\x97\xd6\x6a\xd5\xd5\xea\x72\x65\x7d\xa9\xdc\xbb\x93\xbe\xfa\xe0\xdd\xb4\xd3\x4c\x17\x47\xf9\x72\xbb\xb7\x3f\x68\x77\xfa\xe9\x4e\xbe\x97\xc6\x4f\x2c\xa5"..., 34136651 [pid 5026] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5026] futex(0x7f5f44d696fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5f3dc09000 [pid 5026] mprotect(0x7f5f3dc0a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5026] clone(child_stack=0x7f5f3dc293f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5033 attached , parent_tid=[5033], tls=0x7f5f3dc29700, child_tidptr=0x7f5f3dc299d0) = 5033 [pid 5026] futex(0x7f5f44d696f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] futex(0x7f5f44d696fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5033] set_robust_list(0x7f5f3dc299e0, 24) = 0 [ 79.721819][ T5033] [ 79.724274][ T5033] ====================================================== [ 79.731295][ T5033] WARNING: possible circular locking dependency detected [ 79.738323][ T5033] 6.4.0-rc6-next-20230614-syzkaller #0 Not tainted [ 79.744831][ T5033] ------------------------------------------------------ [ 79.751939][ T5033] syz-executor407/5033 is trying to acquire lock: [ 79.758349][ T5033] ffff888076c40a28 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: f2fs_file_mmap+0x154/0x290 [ 79.768568][ T5033] [ 79.768568][ T5033] but task is already holding lock: [ 79.775928][ T5033] ffff8880787d3768 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x158/0x3b0 [ 79.784912][ T5033] [ 79.784912][ T5033] which lock already depends on the new lock. [ 79.784912][ T5033] [ 79.795318][ T5033] [ 79.795318][ T5033] the existing dependency chain (in reverse order) is: [ 79.804507][ T5033] [ 79.804507][ T5033] -> #1 (&mm->mmap_lock){++++}-{3:3}: [ 79.812251][ T5033] down_read+0x9c/0x480 [ 79.816968][ T5033] do_user_addr_fault+0xb3d/0x1210 [ 79.822628][ T5033] exc_page_fault+0x98/0x170 [ 79.827772][ T5033] asm_exc_page_fault+0x26/0x30 [ 79.833161][ T5033] fault_in_readable+0x129/0x210 [ 79.838650][ T5033] fault_in_iov_iter_readable+0x252/0x2c0 [ 79.844913][ T5033] f2fs_file_write_iter+0x516/0x2500 [ 79.850736][ T5033] vfs_write+0x960/0xd70 [ 79.855516][ T5033] ksys_write+0x122/0x250 [ 79.860379][ T5033] do_syscall_64+0x39/0xb0 [ 79.865331][ T5033] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.871781][ T5033] [ 79.871781][ T5033] -> #0 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}: [ 79.880495][ T5033] __lock_acquire+0x2e9d/0x5e20 [ 79.885905][ T5033] lock_acquire.part.0+0x11c/0x370 [ 79.891566][ T5033] down_write+0x92/0x200 [ 79.896361][ T5033] f2fs_file_mmap+0x154/0x290 [ 79.901571][ T5033] mmap_region+0x99c/0x2770 [ 79.906604][ T5033] do_mmap+0x850/0xee0 [ 79.911228][ T5033] vm_mmap_pgoff+0x1a2/0x3b0 [ 79.916349][ T5033] ksys_mmap_pgoff+0x42b/0x5b0 [ 79.921700][ T5033] do_syscall_64+0x39/0xb0 [ 79.926657][ T5033] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.933086][ T5033] [ 79.933086][ T5033] other info that might help us debug this: [ 79.933086][ T5033] [ 79.943356][ T5033] Possible unsafe locking scenario: [ 79.943356][ T5033] [ 79.950810][ T5033] CPU0 CPU1 [ 79.956172][ T5033] ---- ---- [ 79.961532][ T5033] lock(&mm->mmap_lock); [ 79.965868][ T5033] lock(&sb->s_type->i_mutex_key#15); [ 79.973858][ T5033] lock(&mm->mmap_lock); [ 79.980727][ T5033] lock(&sb->s_type->i_mutex_key#15); [ 79.986201][ T5033] [ 79.986201][ T5033] *** DEADLOCK *** [ 79.986201][ T5033] [ 79.994339][ T5033] 1 lock held by syz-executor407/5033: [ 79.999798][ T5033] #0: ffff8880787d3768 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x158/0x3b0 [ 80.009223][ T5033] [ 80.009223][ T5033] stack backtrace: [ 80.015107][ T5033] CPU: 1 PID: 5033 Comm: syz-executor407 Not tainted 6.4.0-rc6-next-20230614-syzkaller #0 [ 80.025032][ T5033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 80.035091][ T5033] Call Trace: [ 80.038371][ T5033] [ 80.041306][ T5033] dump_stack_lvl+0xd9/0x150 [ 80.045916][ T5033] check_noncircular+0x2df/0x3b0 [ 80.050874][ T5033] ? print_circular_bug+0x740/0x740 [ 80.056122][ T5033] ? write_profile+0x450/0x450 [ 80.060919][ T5033] ? arch_stack_walk+0x97/0xf0 [ 80.065710][ T5033] __lock_acquire+0x2e9d/0x5e20 [ 80.070592][ T5033] ? mmap_region+0x422/0x2770 [ 80.075282][ T5033] ? do_mmap+0x850/0xee0 [ 80.079529][ T5033] ? vm_mmap_pgoff+0x1a2/0x3b0 [ 80.084302][ T5033] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 80.090305][ T5033] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 80.096399][ T5033] lock_acquire.part.0+0x11c/0x370 [ 80.101542][ T5033] ? f2fs_file_mmap+0x154/0x290 [ 80.106407][ T5033] ? lock_sync+0x190/0x190 [ 80.111368][ T5033] ? rcu_is_watching+0x12/0xb0 [ 80.116149][ T5033] ? trace_lock_acquire+0x12d/0x180 [ 80.121453][ T5033] ? f2fs_file_mmap+0x154/0x290 [ 80.126313][ T5033] ? lock_acquire+0x32/0xc0 [ 80.130835][ T5033] ? f2fs_file_mmap+0x154/0x290 [ 80.135700][ T5033] down_write+0x92/0x200 [ 80.139970][ T5033] ? f2fs_file_mmap+0x154/0x290 [ 80.144837][ T5033] ? down_write_killable_nested+0x250/0x250 [ 80.150761][ T5033] ? __raw_spin_lock_init+0x3a/0x110 [ 80.156076][ T5033] f2fs_file_mmap+0x154/0x290 [ 80.160782][ T5033] mmap_region+0x99c/0x2770 [ 80.165299][ T5033] ? do_munmap+0xf0/0xf0 [ 80.169552][ T5033] ? security_mmap_addr+0x77/0xa0 [ 80.174630][ T5033] ? get_unmapped_area+0x1ee/0x3d0 [ 80.179765][ T5033] do_mmap+0x850/0xee0 [ 80.183848][ T5033] vm_mmap_pgoff+0x1a2/0x3b0 [ 80.188548][ T5033] ? randomize_page+0xb0/0xb0 [ 80.193334][ T5033] ksys_mmap_pgoff+0x42b/0x5b0 [ 80.198302][ T5033] do_syscall_64+0x39/0xb0 [ 80.202820][ T5033] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 80.208817][ T5033] RIP: 0033:0x7f5f44cdf4d9 [ 80.213238][ T5033] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 80.232859][ T5033] RSP: 002b:00007f5f3dc292f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 80.241285][ T5033] RAX: ffffffffffffffda RBX: 00007f5f44d696f8 RCX: 00007f5f44cdf4d9 [ 80.249273][ T5033] RDX: 000000000000000b RSI: 0000000000b36000 RDI: 0000000020000000 [ 80.257252][ T5033] RBP: 00007f5f44d696f0 R08: 0000000000000004 R09: 0000000000000000 [ 80.265227][ T5033] R10: 0000000000028011 R11: 0000000000000246 R12: 00007f5f44d696fc [pid 5033] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE|PROT_SEM, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0 [pid 5026] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 80.273203][ T5033] R13: 656d6974797a616c R14: 746e657478656f6e R15: 0000000000022000 [ 80.281191][ T5033]